Our latest research shows attacks against Middle East government Sharepoint servers using a newly patched vulnerability. In our blog, we provide details of the tools and tactics, explain how we believe these connect to the Emissary Panda threat group, correlate our findings with those of the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security, and provide indicators of compromise (IoCs) from our research.
Unit 42 digs into the recent OilRig data dump and finds new information on the breadth of attacks and OilRig’s toolset. Our analysis shows OilRig attacks are broader than previously thought: 97 organizations in 27 countries, including the Middle East and China, and 18 industries, including government, technology, telecommunications and transportation.
In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country. Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that region but also the United States, and throughout Europe and Asia. In this blog, we outline our findings around a new campaign we’ve named the Aggah Campaign based on the actor’s alias “hagga”.
On March 15, Unit 42 published a blog providing an overview of DNS tunneling and how malware can use DNS queries and answers to act as a command and control channel. To supplement this blog, we have decided to describe a collection of tools that rely on DNS tunneling used by an adversary known as OilRig.
In November 2018 the Chafer threat group targeted a Turkish government entity, reusing infrastructure that they used in campaigns reported earlier in 2018. Unit 42 has observed Chafer activity since 2016; however, Chafer has been active since at least 2015. This new secondary payload is Python-based and compiled into executable form using the PyInstaller utility. We’ve also identified code overlap with OilRig’s Clayside VBScript, but at this time we track Chafer and OilRig as separate threat groups. We have named this payload MechaFlounder for tracking purposes.
The DarkHydrus group has begun using a new version of the RogueRobin backdoor. This version is written in C# and in addition to using DNS Tunneling for command and control, can also use Google Drive.
Unit 42 has continued researching the Shamoon 3 attacks that impacted an oil and gas organization and identified another wiper Trojan.
The Sofacy group continues to use variants of the Zebrocy payload in its attack campaigns.
On December 10, a new variant of the Disttrack malware was submitted to VirusTotal that shares a considerable amount of code with the Disttrack malware used in the Shamoon 2 attacks in 2016 and 2017.
The Sofacy group continued their global attack campaigns between October and November, primarily targeting NATO-aligned nation states and former USSR states and delivering Zebrocy or Cannon.
Unit 42’s continued look into Sofacy reveals global attacks and wheels out new ‘Cannon’ trojan.
Unit 42’s continued look into OilRig analyzes the group’s operational tempo, including testing, weaponization and attack delivery.
Unit 42’s continued look into the OilRig threat group uncovers the use of spear-phishing emails to deliver an updated version of the BONDUPDATER Trojan.
The OilRig group maintains their persistent attacks against government entities in the Middle East region using previously identified tools and tactics. As observed in previous attack campaigns, the tools used are not exact duplicates of those from the previous attack but are instead iterative variants. In this instance a spear phishing email was used containing
Following up on previous research, Unit 42 investigates the DarkHydrus threat group’s use of phishery to harvest credentials in the Middle East. Read the full report.